
Re: bsh (BeanShell) security vulnerability (CVE-2016-2510)



Yes, that looks like it should be sufficient to fix the exploit both
for java.util deserialization and xmlbeans deserialization.

On 26 February 2016 at 13:51, Markus Koschany <apo@debian.org> wrote:
> On 19.02.2016 at 13:10, Stian Soiland-Reyes wrote:
>> Hi,
>>
>> BeanShell aka bsh has released a security fix 2.0b6:
>>
>> https://github.com/beanshell/beanshell/releases/tag/2.0b6
>>
>> It has been reported to MITRE as CVE-2016-2510.
>
> Hi Stian,
>
> I intend to backport your changes to fix CVE-2016-2510. Looking at the
> relevant commits, I could condense the changes to create the attached
> patch. Could you take a look at it and confirm that this is sufficient?
>
> Regards,
>
> Markus
>



-- 
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/0000-0001-9842-9718

